Missing Subresource Integrity (SRI) Attributes #5584
Description
Is your feature request related to a problem? Please describe.
While running automated Attack Surface Monitoring for our ISO 27001 certification, our security tooling flagged an informational issue regarding the HTML responses generated by the Nango frontend.
Specifically, the application loads external scripts and stylesheets (via <script> and <link> tags) without the Subresource Integrity (SRI) integrity attribute.
Describe the solution you'd like
It would be great to add SRI hashes (integrity="sha384-...") and the crossorigin="anonymous" attribute to any third-party CDN assets loaded by the application.
This ensures that if a third-party CDN is ever compromised, the browser will refuse to execute the maliciously altered script or apply the altered stylesheet, protecting end-users from potential supply-chain attacks.
Describe alternatives you've considered
Since we are using the official, self-hosted Docker image, manually patching the HTML files on our end isn't sustainable, as those changes would be overwritten on the next image pull. Therefore, implementing this upstream is the best approach.
Additional context
This is generally considered a low-hanging fruit for security hardening and is often flagged by compliance and bug bounty scanners.
Tools like SRI Hash Generator can be used to easily generate the required hashes for the currently used script/stylesheet versions.
Thanks for the great work on Nango! Let me know if you need any more details.